oss-sec mailing list archives
Re: jar(1) -- directory traversal
From: Moritz Muehlenhoff <jmm () debian org>
Date: Wed, 15 Apr 2015 09:55:49 +0200
On Fri, Jan 16, 2015 at 06:03:55AM +0300, Alexander Cherepanov wrote:
Hi! jar(1) in Debian jessie (openjdk-7-jdk 7u71-2.5.3-2) is susceptible to a directory traversal vulnerability via absolute and relative paths. Other distros could also be interested in this issue. Initial report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774953 Not sure if this is just CVE-2005-1080 not fixed or something else. But please note that CVE-2005-1080 talks about .. only. Debian security team forwarded the report to Oracle Security Team at 2015-01-12 11:01 +0100. Thanks!
This appears to have been fixed in the recent Java CPU and was assigned CVE-2015-0480: http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html Cheers, Moritz
Current thread:
- Re: jar(1) -- directory traversal Moritz Muehlenhoff (Apr 15)